ITS - Office of Information Security Risk Review SLA
All SLAs are per the University’s regular business hours; Monday - Friday, 8 a.m. - 5 p.m. unless otherwise noted.
- Initial Response - someone from the Office of Information Security will begin work on your request within 3 days of receipt of your request transitioning the request from “in review” to “in progress."
- Within 5 days following the initial response, you will receive a follow-up notice with a request for additional information which may include you collecting additional data needed for the review. If you are unfamiliar with the data items being requested, OIS can assist you. This is referred to as Risk Review Triage.
- Risk Review Triage determines the level of review required:
- No Review
- Data is public and there are no other risk factors
- Will be completed within 14 days after triage is complete
- Short
- Data is internal or sensitive and/or there are other risk factors
- Will be completed within 40 days for internal data after triage is complete
- Will be completed within 60 days for sensitive data after triage is complete
- Full
- Data is sensitive or confidential and/or there are other risk factors
- Will be completed within 90 days after triage is complete
- No Review
- Regardless of status, client(s) will be provided an update in the request ticket on a weekly basis.
To learn more about types of data and their classifications, visit our Data Governance website. You may find the Data Classification Decision Tree especially useful.
Learn more about Risk Reviews as a service provided by the ITS Office of Information Security.
IT Acquisition review teams work alongside each other. Requests are not considered done until all required reviews are resolved. This SLA is for the ITS Office of Information Security to evaluate risk to the University and compatibility with security standards.